Fail2ban
From CVL Wiki
(→Fail2ban) |
(→Removing Fail2ban Block) |
||
(20 intermediate revisions by one user not shown) | |||
Line 2: | Line 2: | ||
We use the package fail2ban on all of our linux machines to help prevent ssh password brute-forcing. This package will block an IP address after a certain number (usually 10) of failed attempts. | We use the package fail2ban on all of our linux machines to help prevent ssh password brute-forcing. This package will block an IP address after a certain number (usually 10) of failed attempts. | ||
+ | |||
+ | ==Removing Fail2ban Block== | ||
If your address has been accidentally blocked on a server, and you are able to log in and control the server (usually via a different computer) you can remove your banned IP address from iptables. | If your address has been accidentally blocked on a server, and you are able to log in and control the server (usually via a different computer) you can remove your banned IP address from iptables. | ||
Line 13: | Line 15: | ||
Code: | Code: | ||
− | Chain fail2ban- | + | Chain fail2ban-SSH (1 references) |
num target prot opt source destination | num target prot opt source destination | ||
1 DROP all -- 204.110.13.107 anywhere | 1 DROP all -- 204.110.13.107 anywhere | ||
Line 27: | Line 29: | ||
iptables -D '''[chain-name]''' '''[line-number]''' | iptables -D '''[chain-name]''' '''[line-number]''' | ||
− | To unban the IP address 1.234.20.21, the command would be: | + | To unban the IP address 1.234.20.21 (see above), the command would be: |
Code: | Code: | ||
− | iptables -D fail2ban- | + | iptables -D fail2ban-SSH 2 |
+ | |||
+ | Reference: | ||
+ | http://www.howtoforge.com/forums/showthread.php?t=51366&page=2 | ||
+ | |||
+ | ==Installing Fail2ban== | ||
+ | |||
+ | ===OS X=== | ||
+ | |||
+ | This is an advanced setup, and requires using the terminal to install and modify files. | ||
+ | |||
+ | <ol> | ||
+ | <li> Download the latest official source tarball: http://www.fail2ban.org/wiki/index.php/Downloads</li> | ||
+ | <li> Unpack by double clicking or command line</li> | ||
+ | $ tar xvfj fail2ban-0.8.14.tar.bz2 | ||
+ | <li>Go into the folder and run the following command to install Fail2ban</li> | ||
+ | $ cd fail2ban-0.8.14 | ||
+ | $ sudo python setup.py install | ||
+ | <li>Copy the init scipt to the launchdaemon directory</li> | ||
+ | $ sudo cp files/macosx-initd /Library/LaunchDaemons/org.fail2ban.plist | ||
+ | <li>Open the org.fail2ban.plist and delete the first two lines, such that the first line starts with ''<?xml ...''</li> | ||
+ | $ sudo nano /Library/LaunchDaemons/org.fail2ban.plist | ||
+ | <li>Make a log file and give it proper permissions</li> | ||
+ | $ sudo touch /var/log/fail2ban.log | ||
+ | $ sudo chgrp admin /var/log/fail2ban.log | ||
+ | <li>Add these two lines to /etc/pf.conf</li> | ||
+ | table <fail2ban> persist | ||
+ | block drop log quick from <fail2ban> to any | ||
+ | <li>Create /etc/fail2ban/jail.local file. Working jail.local file can be downloaded here ###needs url###</li> | ||
+ | <li>Shutdown pf, reload the configuration and restart</li> | ||
+ | $ sudo pfctl -d | ||
+ | $ sudo pfctl -f /etc/pf.conf | ||
+ | $ sudo pfctl -e | ||
+ | <li>Edit the following lines in /etc/sshd_config</li> | ||
+ | useDNS no | ||
+ | PermitRootLogin no | ||
+ | <li>Start the fail2ban client</li> | ||
+ | $ sudo /usr/local/bin/fail2ban-client start | ||
+ | <li>Check your fail2ban logfile in Console.app or look at the pf fail2ban table to see if any addresses are blocked</li> | ||
+ | $ sudo pfctl -t fail2ban -T show | ||
+ | <li></li> | ||
+ | </ol> | ||
+ | |||
+ | |||
+ | |||
+ | =====Optional Installs===== | ||
+ | # Install [[IceFloor]] | ||
+ | # Install Xcode and MacPorts: https://guide.macports.org/chunked/installing.html | ||
+ | |||
+ | |||
+ | add the below line to /opt/local/etc/fail2ban/filters.d/ssh.conf | ||
+ | ^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user .* from <HOST>( via \S+)?\s*$ |
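Review bot: In the new OS X section the "$ ..." command lines sit between the <li> elements instead of inside them, so the <ol> is not well-formed and the commands can render detached from the steps they belong to; move each command inside its step's <li>. The trailing empty <li></li>, the "###needs url###" placeholder in the jail.local step and the typo "scipt" should be resolved as well. The last added line edits /opt/local/etc/fail2ban/filters.d/ssh.conf while the jail.local step uses /etc/fail2ban; state which install each path applies to.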
Latest revision as of 10:40, 7 February 2015
Fail2ban
We use the fail2ban package on all of our Linux machines to help prevent SSH password brute-forcing. The package blocks an IP address after a certain number (usually 10) of failed attempts.
Removing Fail2ban Block
If your address has been accidentally blocked on a server, and you are able to log in and control the server (usually via a different computer), you can remove your banned IP address from iptables.
To unban an IP address manually, it is necessary to know the chain name and the rule number. The following command can be used to acquire this information:
Code:
iptables -L -n --line-numbers
The relevant bits are at the end of the output. Here is an example chain with attendant rules:
Code:
Chain fail2ban-SSH (1 references)
num  target  prot opt source                 destination
1    DROP    all  --  204.110.13.107         anywhere
2    DROP    all  --  1.234.20.21            anywhere
3    DROP    all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN  all  --  anywhere               anywhere
In this example, three (3) IP addresses have been banned via the SSH jail (these are the DROP rules).
To unban an IP address, you would run the following command:
Code:
iptables -D [chain-name] [line-number]
To unban the IP address 1.234.20.21 (see above), the command would be:
Code:
iptables -D fail2ban-SSH 2
Reference: http://www.howtoforge.com/forums/showthread.php?t=51366&page=2
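Added example (not part of the original wiki page): a small Python helper that reads the output of iptables -L -n --line-numbers and returns the iptables -D command for a given address. The function name, the chain_prefix parameter and the INPUT chain in the sample listing are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample: the fail2ban-SSH chain shown on this page, plus an
# INPUT chain added here for context.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target        prot opt source          destination
1    fail2ban-SSH  tcp  --  anywhere        anywhere

Chain fail2ban-SSH (1 references)
num  target  prot opt source                 destination
1    DROP    all  --  204.110.13.107         anywhere
2    DROP    all  --  1.234.20.21            anywhere
3    DROP    all  --  gw-tair-rp.rel.com.ua  anywhere
4    RETURN  all  --  anywhere               anywhere
"""


def unban_commands(listing, address, chain_prefix="fail2ban-"):
    """Return `iptables -D` commands for DROP rules whose source is `address`."""
    ipaddress.ip_address(address)  # raises ValueError on anything but an IP
    chain, hits = None, []
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
        elif (chain and chain.startswith(chain_prefix) and len(fields) >= 5
              and fields[0].isdigit() and fields[1] == "DROP"
              and fields[4] == address):  # exact match, not a substring match
            hits.append((chain, int(fields[0])))
    # Deleting a rule renumbers the rules below it, so emit the highest rule
    # number first when an address appears more than once in a chain.
    hits.sort(key=lambda h: (h[0], -h[1]))
    return ["iptables -D %s %d" % h for h in hits]


if __name__ == "__main__":
    for cmd in unban_commands(SAMPLE_LISTING, "1.234.20.21"):
        print(cmd)
```

The source column is compared as a whole field, so asking for 1.234.20.2 does not select the rule for 1.234.20.21.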
Installing Fail2ban
OS X
This is an advanced setup, and requires using the terminal to install and modify files.
- Download the latest official source tarball: http://www.fail2ban.org/wiki/index.php/Downloads
- Unpack by double-clicking or from the command line
  $ tar xvfj fail2ban-0.8.14.tar.bz2
- Go into the folder and run the following command to install Fail2ban
  $ cd fail2ban-0.8.14
  $ sudo python setup.py install
- Copy the init script to the LaunchDaemons directory
  $ sudo cp files/macosx-initd /Library/LaunchDaemons/org.fail2ban.plist
- Open the org.fail2ban.plist and delete the first two lines, such that the first line starts with <?xml ...
  $ sudo nano /Library/LaunchDaemons/org.fail2ban.plist
- Make a log file and give it proper permissions
  $ sudo touch /var/log/fail2ban.log
  $ sudo chgrp admin /var/log/fail2ban.log
- Add these two lines to /etc/pf.conf
  table <fail2ban> persist
  block drop log quick from <fail2ban> to any
- Create the /etc/fail2ban/jail.local file. A working jail.local file can be downloaded here ###needs url###
- Shut down pf, reload the configuration and restart
  $ sudo pfctl -d
  $ sudo pfctl -f /etc/pf.conf
  $ sudo pfctl -e
- Edit the following lines in /etc/sshd_config
  useDNS no
  PermitRootLogin no
- Start the fail2ban client
  $ sudo /usr/local/bin/fail2ban-client start
- Check your fail2ban logfile in Console.app or look at the pf fail2ban table to see if any addresses are blocked
  $ sudo pfctl -t fail2ban -T show
Optional Installs
- Install IceFloor
- Install Xcode and MacPorts: https://guide.macports.org/chunked/installing.html
Add the line below to /opt/local/etc/fail2ban/filters.d/ssh.conf:
^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user .* from <HOST>( via \S+)?\s*$
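Added example (not part of the original wiki page): a Python check of which address the filter line above would extract from sshd log lines. The PREFIX and HOST patterns are simplified stand-ins, assumed here, for what fail2ban substitutes for %(__prefix_line)s and <HOST>; the log lines are constructed.

```python
import re

# The failregex line from this page, verbatim.
FAILREGEX = (r"^%(__prefix_line)s(?:error: PAM: )?unknown user for illegal user"
             r" .* from <HOST>( via \S+)?\s*$")

# Assumed, simplified stand-ins for fail2ban's own substitutions; the real
# definitions ship with fail2ban and accept more log layouts.
PREFIX = r"(?:\S+ )?sshd\[\d+\]: "
HOST = r"(?P<host>[\w.:-]+)"


def compile_failregex(template=FAILREGEX):
    """Expand the two placeholders and compile the result."""
    expanded = template % {"__prefix_line": PREFIX}
    return re.compile(expanded.replace("<HOST>", HOST))


def banned_host(line):
    """Return the address the filter would report for `line`, or None."""
    match = compile_failregex().search(line)
    return match.group("host") if match else None


# Constructed log lines, with the timestamp already stripped.
SAMPLES = [
    "mac sshd[312]: error: PAM: unknown user for illegal user admin "
    "from 203.0.113.5 via 192.0.2.10",
    "mac sshd[313]: unknown user for illegal user test from 203.0.113.6",
    # User name that itself contains " from <address>": the greedy .* and the
    # end anchor make the filter report the peer address at the end of the line.
    "mac sshd[314]: error: PAM: unknown user for illegal user "
    "x from 198.51.100.9 from 203.0.113.7 via 192.0.2.10",
    # A successful login must not match.
    "mac sshd[315]: Accepted publickey for alice from 203.0.113.8 port 50022 ssh2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(banned_host(sample), "<-", sample)
```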